I have a k8s cluster running on GKE. This cluster uses nginx-ingress to expose some services to the internet. I would like to configure IP whitelisting for a subset of these services; for that I'm using nginx.ingress.kubernetes.io/whitelist-source-range, e.g.:
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/add-base-url: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 30M
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/whitelist-source-range: 81.x.x.x
  generation: 7
  name: my-apps
  namespace: client-apps
spec:
  rules:
  - host: somehost.com
    http:
      paths:
      - backend:
          serviceName: app1
          servicePort: 8080
With this config my service isn't accessible from a client with that IP. In the NGINX ingress logs I see:
10.0.0.36 - [10.0.0.36] - - [18/Feb/2019:10:34:34 +0000] "GET /xxx HTTP/2.0" 403 0 "https://xxx" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.109 Safari/537.36"
So the ingress blocks the access of a request from 10.0.0.36. However, the actual client IP is 81.x.x.x. Is there a way to filter by the original IP?
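The symptom described above can be checked mechanically: the whitelist is evaluated against the address NGINX records as the client, so a 403 logged from an RFC 1918 address means the original client IP never reached the controller. The following is an added example, not part of the original post; `diagnose`, the constructed `203.0.113.0/24` stand-in for the elided `81.x.x.x` value, and the second and third log lines are assumptions.

```python
import ipaddress
import re

# Leading fields of the ingress-nginx access log line quoted in the question.
LOG_RE = re.compile(r'^(?P<addr>\S+) - \[[^\]]*\] - \S+ \[[^\]]+\] '
                    r'"[^"]*" (?P<status>\d{3}) ')
# RFC 1918 ranges: a denied request logged from one of these came from
# inside the cluster network, not directly from an internet client.
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def in_any(addr, networks):
    return any(addr in net for net in networks)

def diagnose(line, whitelist):
    """Classify one access-log line against the whitelist CIDRs."""
    m = LOG_RE.match(line)
    if not m:
        return "unparsed"
    try:
        addr = ipaddress.ip_address(m.group("addr"))
    except ValueError:
        return "unparsed"
    if m.group("status") != "403":
        return "not-denied"
    allowed = [ipaddress.ip_network(c, strict=False) for c in whitelist]
    if in_any(addr, allowed):
        return "denied-for-other-reason"   # whitelist matched; look elsewhere
    if in_any(addr, INTERNAL):
        return "denied-internal-source"    # NGINX saw an internal hop, not the client
    return "denied-not-whitelisted"        # genuine external address outside the list

# Constructed stand-in for the elided 81.x.x.x value (RFC 5737 documentation range).
WHITELIST = ["203.0.113.0/24"]
# First line is the one from the question (user agent shortened); the rest are constructed.
SAMPLE = [
    '10.0.0.36 - [10.0.0.36] - - [18/Feb/2019:10:34:34 +0000] '
    '"GET /xxx HTTP/2.0" 403 0 "https://xxx" "Mozilla/5.0"',
    '203.0.113.7 - [203.0.113.7] - - [18/Feb/2019:10:35:01 +0000] '
    '"GET /xxx HTTP/2.0" 200 512 "-" "curl/7.58.0"',
    '198.51.100.9 - [198.51.100.9] - - [18/Feb/2019:10:35:09 +0000] '
    '"GET /xxx HTTP/2.0" 403 0 "-" "curl/7.58.0"',
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(diagnose(line, WHITELIST), "<-", line[:40])
```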